Jamf Nation Community

Wrong first link. But here's the script:

#!/bin/sh

# 6.2 Turn on filename extensions

currentUser=$(ls -l /dev/console | awk '{print $3}')

sudo -u $currentUser /usr/bin/defaults write /Users/$currentUser/Library/Preferences/.GlobalPreferences.plist AppleShowAllExtensions -bool true

sleep 2

killall Finder

sleep 2

exit 0

This doesn't work for me. Are you sure it works for you? I've always had to do this with a script applying the value in the plist in the user space. I would love to get it work with a profile, but have never had any luck with that, including with this manifest above.

I briefly looked two days ago but it was on an existing machine, I haven’t checked on a fresh enrolment. I’ll test again tomorrow and see.

I thought the domain was incorrect (tried .GlobalPreferences) but looking at Apple's docs and comments here, it was taken away some time ago (when SIP was introduced maybe 10.11 or 10.12?). Other settings in that domain do work ok still.

https://developer.apple.com/documentation/devicemanagement/globalpreferences

So yes, scripting looks like the way to go for this key!

sudo -u $(ls -l /dev/console | awk '{print $3}') defaults write NSGlobalDomain "AppleShowAllExtensions" -int "1" && killall Finder 

This did not work for me. I temporarily unmarked it as a solution until we figure out the kinks. I tried changing the Preference Domain to com.apple.Finder, but still no luck. Let me know if y'all figure this out, because I would prefer a config profile over a script.

@janzaldua Not everything is settable via a Configuration Profile, and for settings that are set via Configuration Profile that will prevent a user from changing it if they don't like the setting you're deploying. For something like the file extension setting, where it could be considered a matter of taste, using a script will cause less user abrasion.

Except in cases where you are being asked to force something based on a recommendation, like from CIS. Then it would be nice to be able to force it to enabled. I agree that in the grand scheme of things, showing Finder extensions is a very minor security setting. But management in some places like to apply as much of the recommendations as possible, user personal tastes be damned. Unfortunately, this happens to be one of those settings, even though I would not personally care if we do it or not.

Agreed. I know the drawback to Config Profile is user configuration options, but some policies need to be enforced to be within compliance, as mm2270 said.

The CIS recommendation is what led me down the path to trying to find some way to manage this via profile, and ran up empty despite my best attempts. I was also hopeful the above custom schema would do it, but it doesn't. I tried applying the profile both at Computer and User levels, restarted Finder and the computer, but no luck. I honestly think this is a bug in the OS that Apple never addressed and doesn't have any interest in addressing probably. If so, I don't know if we'll ever see a profile based solution.

@mm2270 No question some settings, or some settings for some orgs, really need to be locked. I'm just still peeved that when Apple ditched MCX for Configuration Profiles they completely forgot about Manage Once and everything became Manage Always even if that isn't what one wants/needs.

And on a  different topic anyone else getting a "I'm not a robot" CAPTCHA when replying now?